
Cisco Acs 5x User Guide


Page 191

8-39
User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
Chapter 8      Managing Users and Identity Stores
  Managing External Identity Stores
Figure 8-5 Test Bind to Server Dialog Box
For more information, see Creating External LDAP Identity Stores, page 8-26.
Note: The default password for LDAP is GBSbeacon. If you want to change this password, refer to the Cisco NAC Profiler Installation and Configuration Guide at the following location:...

Page 192

8-40
Figure 8-7 Test Configuration Dialog Box (the dialog shows Number of Subjects: 100 and Number of Directory Groups: 6)
Number of Subjects—This value maps to the actual subject devices already profiled by the Cisco NAC Profiler (actual devices enabled for Profiler).
After the Profiler receives initial SNMP trap information from the switch, Profiler can poll the switch...

Page 193

8-41
For more information on features like Event Delivery Method and Active Response, see the Cisco NAC Profiler Installation and Configuration Guide, Release 3.1, at the following location:
http://www.cisco.com/en/US/docs/security/nac/profiler/configuration_guide/310/p_prof_events31.html
Troubleshooting MAB Authentication with Profiler Integration
To...

Page 194

8-42
An AD user password change made using the above methods must comply with the AD password policy. Check with your AD administrator for the complete set of AD password policy rules. The important AD password policy rules are:
Enforce password history: N passwords remembered
Maximum password age: N days
Minimum password age: N days
Minimum password length: N...

Page 195

8-43
If there is a firewall between ACS and AD, certain ports must be opened so that ACS can communicate with AD. The following are the default ports to be opened:
Note: Dial-in users are not supported by AD in ACS.
This section contains the following topics:
Machine Authentication, page 8-43
Attribute Retrieval for Authorization, page 8-44...

Page 196

8-44
Attribute Retrieval for Authorization
You can configure ACS to retrieve user or machine AD attributes to be used in authorization and group mapping rules. The attributes are mapped to the ACS policy results and determine the authorization level for the user or machine.
ACS retrieves user and machine AD attributes after a successful user or machine...

Page 197

8-45
Machine Access Restrictions
MAR ties the results of machine authentication to the user authentication and authorization process. The most common use of MAR is to fail the authentication of users whose host machine did not authenticate successfully. MAR is effective for all authentication protocols.
MAR functionality is based on the following...

Page 198

8-46
The Engineers rule is an example of a MAR rule that allows engineers access only if their machine was successfully authenticated against the Windows DB.
The Managers rule is an example of an exemption from MAR.
Dial-in Permissions
The dial-in permissions of a user are checked during authentications or queries from Active Directory. The dial-in check is...

Page 199

8-47
Dial-in Support Attributes
The dial-in user attributes on Active Directory are supported on the following servers:
Windows Server 2003
Windows Server 2003 R2
Windows Server 2008
Windows Server 2008 R2
ACS does not support dial-in users on Windows 2000.
ACS Response
If you enable the dial-in check on the ACS Active Directory identity store and the user's dial-in option is Deny...

Page 200

8-48
Joining ACS to an AD Domain
After you configure the AD identity store in ACS through the ACS web interface, you must submit the configuration to join ACS to the AD domain. For more information on how to configure an AD identity store, see Configuring an AD Identity Store, page 8-48.
Note: The Windows AD account, which joins ACS to the AD domain, can...